---
title: "Security"
---

The grid can be run under a locked-down Content Security Policy and is tested for security vulnerabilities. This page describes the CSP directives the grid requires and why, the vulnerability testing results and reported CVEs, and how to report a security issue.

## Content Security Policy (CSP)

The basic information on Content Security Policy can be found on the [MDN web docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) website, which covers the necessary background on the subject. The grid works with CSP, but some basic configuration is necessary for your application to load correctly. The minimum set of CSP rules the grid needs, and the reason for each, is detailed below.

### script-src

Some optional grid features compile string expressions into code, and if you're using these then the `script-src 'unsafe-eval'` directive is required. However, it is possible to avoid this requirement as listed below:

 * Many grid properties such as [Cell Class Rules](./cell-styles/#cell-class-rules) and [Value Getters](./value-getters/) accept string expressions. Using them requires `script-src 'unsafe-eval'`. To avoid this requirement, replace expressions with functions, as shown in the example below for the `cellClassRules` property of a column definition:
    * `{ 'is-negative': 'value < 0' }` requires `script-src 'unsafe-eval'` so that `'value < 0'` can be compiled into a function.
    * `{ 'is-negative': params => params.value < 0 }` does not because you have provided a function.

### style-src

[Themes](./theming) work by injecting CSS styles into the DOM when the grid initialises. By default this requires a `style-src 'unsafe-inline'` directive in your CSP.

However, you can avoid this requirement using the `styleNonce` grid option as shown below. The `styleNonce` property should be set to a random value that changes with each page load.

```{% frameworkTransform=true %}
const gridOptions = {
    styleNonce: "416d1177"
}
```

This sets the nonce attribute on the style tag, so the grid will now work with the CSP directive `style-src 'nonce-416d1177'` without the need for `'unsafe-inline'`.

CSP nonces are global to a page, so when a page has multiple grids, all grids must have the same `styleNonce` set. Consider using [global grid options](./grid-interface/#global-grid-options) to set the `styleNonce` property on all grids.

### img-src

The `img-src data:` directive is required because the grid uses data URLs to embed SVG images in its CSS files.

### font-src

If you are using [legacy themes](./theming-v32/) then the `font-src data:` directive is required. This is because legacy themes use data URLs to embed the icon font in their CSS files. Theming API themes use SVG icons and so do not require this.

If you use the `loadThemeGoogleFonts` grid option, fonts will be loaded from the Google font CDN, which requires the `font-src fonts.gstatic.com` directive.

### Example locked-down CSP

The example CSP below allows the grid to run in a secure manner:

```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; style-src 'self' 'nonce-123xyz'; img-src 'self' data:">
```

It assumes:

1. The application loads assets from the same server (`'self'`)
2. You do not use string expressions in grid options
3. You are using the [Theming API](./theming/) instead of [legacy themes](./theming-v32/), and are not using `loadThemeGoogleFonts`
4. The random string passed to `gridOptions.styleNonce` on this page load is "123xyz"

## Security Vulnerability Testing

Applications may be required to pass an Application Security Test prior to being put into production. If your application is using AG Grid, you will want to make sure that AG Grid has also been tested for security vulnerabilities.

AG Grid is tested for a wide variety of security vulnerabilities using the [SonarQube](https://www.sonarqube.org/) automatic security testing tool. SonarQube performs testing using a number of security rules, covering well-established security vulnerability standards such as CWE, SANS Top 25 and OWASP Top 10. For more details please refer to the section on [Security-related Rules](https://docs.sonarqube.org/latest/user-guide/security-rules/#header-2).

## SonarQube Results

The SonarQube security test results for our main NPM packages are shown below:
| AG-Grid Package           | Result |
| ------------------------- | ------ |
| ag-grid-community         | [![Quality Badge](https://sonarcloud.io/api/project_badges/quality_gate?project=ag-grid-community)](https://sonarcloud.io/dashboard?id=ag-grid-community) |
| ag-grid-enterprise        | [![Quality Badge](https://sonarcloud.io/api/project_badges/quality_gate?project=ag-grid-enterprise)](https://sonarcloud.io/dashboard?id=ag-grid-enterprise) |

Results for AG Charts are available separately: [AG Charts - SonarQube Results](https://www.ag-grid.com/charts/javascript/security/#sonarqube-results)

## Common Vulnerabilities and Exposures (CVE)

Currently reported CVEs and their resolutions:

| AG Grid Package    | CVE                                                               | Issue Ticket | Version Fixed                                                 |
| ------------------ | ----------------------------------------------------------------- | ------------ | ------------------------------------------------------------- |
| ag-grid-community  | [CVE-2017-16009](https://www.cve.org/CVERecord?id=CVE-2017-16009) | AG-5107       | [25.2.0](https://www.ag-grid.com/changelog?fixVersion=25.2.0) |
| ag-grid-enterprise | [CVE-2024-39001](https://www.cve.org/CVERecord?id=CVE-2024-39001) | AG-12254      | [31.3.4](https://www.ag-grid.com/changelog?fixVersion=31.3.4) |
| ag-grid-community  | [CVE-2024-38996](https://www.cve.org/CVERecord?id=CVE-2024-38996) | AG-12254      | [31.3.4](https://www.ag-grid.com/changelog?fixVersion=31.3.4) |
| ag-grid-enterprise | [CVE-2024-38996](https://www.cve.org/CVERecord?id=CVE-2024-38996) | AG-12254      | [31.3.4](https://www.ag-grid.com/changelog?fixVersion=31.3.4) |
| ag-grid-enterprise | [CVE-2024-39001](https://www.cve.org/CVERecord?id=CVE-2024-39001) | AG-12065      | [32.0.1](https://www.ag-grid.com/changelog?fixVersion=32.0.1) |
| ag-grid-community  | [CVE-2024-38996](https://www.cve.org/CVERecord?id=CVE-2024-38996) | AG-12065      | [32.0.1](https://www.ag-grid.com/changelog?fixVersion=32.0.1) |
| ag-grid-enterprise | [CVE-2024-38996](https://www.cve.org/CVERecord?id=CVE-2024-38996) | AG-12065      | [32.0.1](https://www.ag-grid.com/changelog?fixVersion=32.0.1) |
## Security Contact

At AG Grid, we take security seriously. If you believe you've discovered a vulnerability, security issue, or have any concerns related to the security of our libraries or websites, we encourage you to contact us directly.

Please email us at [security@ag-grid.com](mailto:security@ag-grid.com) with details of the issue. We appreciate responsible disclosure and will work quickly to investigate and resolve any confirmed concerns.
